Abstract — We study attacks by adversaries which aim to
compromise links in a wireless sensor network through various
techniques which are modeled using the set-covering problem. We
discuss the effects of the attacks and present techniques which
can be used to mitigate the effects of the attacks. Furthermore, we
analyze the performance of various key predistribution schemes
with and without the mitigation techniques.

I.  Introduction

The  use  of  large-scale  wireless  sensor  networks  (WSNs) 
in  hostile  environments  requires  the  development  of  secure 
decentralized  protocols.  The  difficulties  in  developing  such 
protocols  lie  in  the  sensor  node  limitations  such  as  wireless
radio  range,  battery  energy,  and  computational  capability.  The 
restrictions  on  the  computational  capability  of  WSN  nodes 
lead  to  the  common  assumption  that  secure  protocols  can  rely 
only  on  symmetric  key  cryptography. 

A  promising  solution  for  the  establishment  of  symmetric 
keys  in  WSN  applications  is  key  predistribution,  studied  in 
various  papers  (e.g.  [1]-[10]).  In  particular,  we  focus  on  the
framework  presented  in  [4]  that  consists  of  three  phases:  key 
assignment,  shared-key  discovery,  and  path-key  establishment. 
In  a  key  predistribution  scheme  (KPS),  seeds  are  distributed  to 
sensor  nodes  prior  to  network  deployment.  After  deployment 
of  the  WSN,  the  shared-key  discovery  phase  takes  place,  where 
two  nodes  in  wireless  communication  range  determine  the 
existence  of  shared  seeds.  If  the  two  nodes  share  seeds,  a 
link  key  can  be  computed  as  a  function  of  one  or  more  of  the 
shared  seeds.  The  path-key  establishment  phase  takes  place  if 
there  is  no  common  seed  between  a  pair  of  nodes  in  wireless 
communication  range.  In  this  case,  the  nodes  find  a  path  of 
secure  links  between  them  and  transfer  a  key  in  encrypted 
form  via  the  path. 

The concepts of key predistribution in [4] have also been
combined with the key establishment schemes of [1], [2] based
on threshold secret-sharing. In the framework of [10], each
node is assigned a share from each of K polynomials randomly
selected from a pool of P bivariate polynomials. Any
pair of nodes which contain shares of a common polynomial
can compute a unique link key. Once an adversary collects
t shares of a polynomial, however, any link key computed
using shares of the polynomial is compromised. Shared-key
discovery and path-key establishment phases similar to those
of [4] can be used with threshold schemes.

The predistributed seeds of a general KPS can take the
form of cryptographic keys as in [4] or polynomial shares
as in [10]. However, additional results have been proposed
which change the way in which link keys are computed from
the seeds. For example, in [3], [5], [7], [9], the shared-key
discovery protocols compute link keys using a cryptographic
hash function with seeds as inputs. Regardless of how the
seed is used, the shared-key discovery protocol must reveal
information pertaining to which seeds are stored in each WSN
node in order for neighboring nodes to determine if sufficient
seeds are shared to establish a link key. For example, the
authors of [4] propose the transmission by each node of the
identifiers (IDs) of the seeds contained in the node, noting that
this might reveal too much information to an adversary. The
authors of [4] further propose the use of a private shared-key
discovery protocol based on encryptions of random nonces
in order to reduce the amount of information revealed to an
adversary. We analyze and discuss these shared-key discovery
protocols in Section III.

The  primary  contribution  of  this  paper  is  presentation, 
analysis,  and  discussion  of  various  attacks  which  can  be 
performed  by  the  adversary  using  the  information  revealed 
during  the  shared-key  discovery  protocol.  We  investigate  the 
impact  of  various  KPS  attacks  and  discuss  possible  mitigation 
techniques. 

For the purposes of this paper, we assume that the adversary
is able to physically capture sensor nodes and access all
information stored within the nodes. Furthermore, we assume
the adversary is able to eavesdrop and record transmissions
throughout the network and determine which WSN node is the
sender and receiver of each transmission. We do not consider
attacks on network protocols (including node replication, node
fabrication, wormhole attacks, etc.) other than those directly
involved with the KPS.

The paper is organized as follows. Section II discusses
several adversarial goals and corresponding attacks on the
KPS. Section III discusses the information required in order
for an adversary to mount the attacks discussed in Section II.
Section IV presents possible techniques which can be used to
mitigate the effects of the attacks. In Section V, we investigate
the effect of the attacks and mitigation techniques on the KPS.
In Section VI, we discuss the performance of KPSs in terms
of message overhead and computational complexity. Finally,
we summarize our results in Section VII.

II.  Attacks  on  Key  Predistribution 

In this section, we investigate KPS attacks which can be
mounted by adversaries with different goals. We consider
adversaries with the following goals: recovery of all predistributed
seeds, recovery of a sufficient set of predistributed
seeds to compromise all links, and disconnection of the WSN
such that there exist nodes which cannot exchange information.

A.  Recovery  of  All  Seeds 

We  first  consider  an  adversary  interested  in  recovering  all 
predistributed  seeds  which  exist  in  the  WSN.  We  consider  two 
possible  attacks  to  achieve  this  goal:  the  random  capture  attack 
and  the  seed-cover  attack. 

Random capture attack: In [4] and several papers that
followed (e.g. [5], [6], [9], [10]), the authors assume that
the adversary captures each successive node at random,
independent of previously captured nodes. This situation often
corresponds to an adversary who physically captures a group
of nodes before accessing the information within the sensor
nodes.

Seed-cover attack: In [11], the authors investigate the effect
of an adversary able to capture nodes in a sequence using
the information recovered from previously captured nodes. We
consider the problem in its generality.

The attack is based on the assumption that at each step the
adversary can determine the number of uncompromised seeds
contained in each uncaptured node and choose to capture the
node with the maximum number of uncompromised seeds.
The adversary is interested in minimizing the number of nodes
which must be captured in order to recover all predistributed
seeds. However, this is equivalent to solving the set-covering
problem [12], known to be NP-hard. Hence, we provide an
algorithm based on a greedy set-covering heuristic in Fig. 1,
where S(i) is the set of seeds contained in node i, N is
the total network size, and C is the set of captured nodes.
According to [12], this greedy algorithm is sub-optimal by at
most a factor ln(K) + 1.

KPS  schemes  which  rely  on  threshold  secret-sharing  [6], 
[10]  require  a  threshold  number  t  of  shares  of  each  secret 
to  be  compromised  before  links  using  the  secret  can  be 
compromised.  Thus,  a  slight  modification  must  be  made  to 
reflect  this  difference.  The  algorithm  for  the  seed-cover  attack 
on  threshold  schemes  is  given  in  Fig.  2. 


Seed-Cover Attack - [4] KPS:

Given: S(1), ..., S(N)
X ← ∪_{i=1}^{N} S(i)
C ← ∅
while |X| > 0 do
    n̂ ← argmax_{n ∉ C} |X ∩ S(n)|
    X ← X \ S(n̂)
    C ← C ∪ {n̂}
end while

Fig. 1. Greedy seed-cover attack algorithm.


Seed-Cover Attack - Threshold t KPS:

Given: S(1), ..., S(N)
X ← ∪_{i=1}^{N} S(i)
c(x) ← 0, ∀ x ∈ X
C ← ∅
while ∃ x ∈ X, c(x) < t do
    x̂ ← argmax_{x ∈ X, c(x) < t} c(x)
    find n ∉ C, x̂ ∈ S(n)
    for all x ∈ S(n) do
        c(x) ← c(x) + 1
    end for
    C ← C ∪ {n}
end while

Fig. 2. Greedy seed-cover attack algorithm for KPS based on threshold
secret-sharing.
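
An added example, not code from the paper: a Python harness for checking how fast a key-ring assignment in the style of [4] loses links when nodes fall in the greedy order of Fig. 1, compared with random capture on the same deployment. The parameters, function names, tie-breaking rule and the choice of one uniformly picked shared seed per link are assumptions made for this example.

```python
import random

def assign_rings(n_nodes, pool_size, ring_size, rng):
    """Key assignment: each node gets K distinct seed IDs drawn from a pool of P."""
    return [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(n_nodes)]

def link_seeds(rings, rng):
    """Key graph: for each node pair sharing seeds, the seed securing their link.
    Picking it uniformly among the shared seeds is an assumption of this example."""
    links = {}
    for i in range(len(rings)):
        for j in range(i + 1, len(rings)):
            shared = rings[i] & rings[j]
            if shared:
                links[(i, j)] = rng.choice(sorted(shared))
    return links

def seed_cover_order(rings, budget=None):
    """Greedy capture order of Fig. 1: repeatedly take the uncaptured node that
    holds the most seeds not yet recovered (ties go to the lowest node index).
    Stops when every seed is recovered or after `budget` captures."""
    uncovered = set().union(*rings)
    remaining = set(range(len(rings)))
    order = []
    while uncovered and (budget is None or len(order) < budget):
        n = max(sorted(remaining), key=lambda m: len(rings[m] & uncovered))
        uncovered -= rings[n]
        remaining.discard(n)
        order.append(n)
    return order

def recovered_counts(rings, order):
    """Distinct seeds in the adversary's hands after each capture in `order`."""
    held, counts = set(), []
    for n in order:
        held |= rings[n]
        counts.append(len(held))
    return counts

def fail_curve(rings, links, order):
    """fail(x) for x = 0..len(order): fraction of links between uncaptured
    nodes whose seed is among the recovered seeds."""
    held, captured, curve = set(), set(), [0.0]
    for n in order:
        captured.add(n)
        held |= rings[n]
        live = [s for (i, j), s in links.items()
                if i not in captured and j not in captured]
        curve.append(sum(s in held for s in live) / len(live) if live else 0.0)
    return curve

def run_demo(seed=7, n_nodes=150, pool_size=400, ring_size=20, budget=15):
    """Same deployment, two capture orders; returns (random, seed-cover) curves."""
    rng = random.Random(seed)
    rings = assign_rings(n_nodes, pool_size, ring_size, rng)
    links = link_seeds(rings, rng)
    random_order = rng.sample(range(n_nodes), budget)
    greedy_order = seed_cover_order(rings, budget)
    return (fail_curve(rings, links, random_order),
            fail_curve(rings, links, greedy_order))

if __name__ == "__main__":
    rand, greedy = run_demo()
    print(" x  random  seed-cover")
    for x in (1, 5, 10, 15):
        print(f"{x:2d}  {rand[x]:.3f}   {greedy[x]:.3f}")
```

Running the comparison for candidate (P, K) pairs before deployment shows how much margin a parameter choice keeps over the random-capture baseline that most KPS analyses assume.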


B.  Recovery  of  Sufficient  Keys 

We  next  consider  an  adversary  interested  in  recovering  only 
the  predistributed  seeds  which  were  used  to  compute  link  keys, 
thus  compromising  all  of  the  links  in  the  WSN.  The  adversary 
can  choose  to  attack  either  the  set  of  all  possible  links  or  only 
links  that  have  been  established  in  the  WSN.  The  following 
attack  is  valid  for  either  of  these  cases. 

Link-cover attack: The attack is based on the assumption
that the adversary can determine the set of seeds used to secure
each link in the network and choose to capture the node which
will allow the adversary to compromise the maximum number
of additional links. We note that this attack is fundamentally
different from the seed-cover attack because not all seeds
need to be recovered to compromise all of the links in the
network. Letting S(i) denote the set of seeds stored in node
i, the adversary can construct the collection of sets
Φ = {S(i) ∩ S(j) : i ≠ j} \ {∅}, where each element represents
the set of seeds shared by nodes i and j. The collection of
subsets of S(i) represents the possible sets of seeds used to
secure links incident to node i. Again, we see that the optimal
execution of the link-cover attack is equivalent to solving the
set-covering problem [12] and hence is NP-hard. We provide
an algorithm based on a greedy set-covering heuristic in Fig. 3
which is suboptimal by at most a factor K ln(2) + 1.

C.  Disconnecting  the  Network 

We next consider an adversary interested in capturing a
sufficient number of sensor nodes to globally disconnect the
WSN. In order to perform such an attack, sufficient information
must be available for the adversary to construct the
key graph representing all pairs of nodes able to compute
link keys. Once the key graph is available, the adversary
can determine a separating set of nodes whose removal will
disconnect the WSN. The choice of separating set can depend
on the formation of the sensor network, flow of information,
and the amount of effort the adversary is willing to expend.

Link-Cover Attack:

Given: S(1), ..., S(N)
Φ ← {S(i) ∩ S(j) : i ≠ j} \ {∅}
C ← ∅
while |Φ| > 0 do
    n̂ ← argmax_{n ∉ C} |{X ∈ Φ : X ⊆ S(n)}|
    Φ ← {(S(i) ∩ S(j)) \ S(n̂) : i
    C ← C ∪ {n̂}
end while

Fig. 3. Greedy link-cover attack algorithm.

If  all  communications  are  carried  out  using  secure  single-hop
links,  the  adversary  may  not  have  to  reconstruct  the
entire  key  graph.  Since  links  can  only  exist  between  nodes 
within  wireless  communication  range,  the  adversary  only  has 
to  consider  those  links  which  exist  in  the  key  graph  and  the 
geometric  random  graph  resulting  from  WSN  deployment. 
Thus,  the  adversary  may  be  able  to  disconnect  the  WSN  by 
removing  a  set  of  nodes  such  that  some  nodes  are  physically 
unreachable  from  the  remaining  network.  Such  an  attack  is 
thus  independent  of  the  KPS.  Hence,  we  are  only  concerned 
with  adversaries  interested  in  disconnecting  the  key  graph, 
independent  of  the  geometry  of  the  WSN. 

III.  Performing  Attacks 

In  order  to  perform  the  attacks  discussed  in  Section  II,  the 
adversary  must  collect  sufficient  information  by  eavesdropping 
on  network  traffic  and  capturing  nodes.  If  the  shared-key 
discovery  protocol  consists  of  a  plaintext  exchange  of  seed 
IDs,  the  adversary  can  plan  the  sequence  of  attack  events 
before  physically  disturbing  the  network. 

To prevent the leakage of information under a key exchange
in plaintext, the authors of [4] propose the use of a private
shared-key discovery protocol. In this protocol, each node
broadcasts

$$\alpha,\; E_{L_1}(\alpha),\; \ldots,\; E_{L_K}(\alpha),$$

where $\alpha$ is a random nonce and each $L_i$ represents a seed.
Any neighboring node able to decrypt a list item $E_{L_i}(\alpha)$ to
recover $\alpha$ can determine that $L_i$ is shared with the transmitting
node.

Random-capture attack: The random-capture attack is
equally effective under any shared-key discovery protocol, as
the attacker does not take advantage of any of the information
revealed by the shared-key discovery protocol. Hence, schemes
which are not concerned with attacks other than random capture
need not consider any shared-key discovery mechanism
other than the exchange of seed IDs.

The random-capture attack serves as the baseline for comparison
in Section V. Under a random-capture attack, the
scheme of [4] results in a probability that any link between
uncaptured nodes is compromised, given that x nodes have
been captured, of

fail(x)  =  1  -  -  —  j  .  (1) 

Seed-cover attack: The exchange of IDs reveals a significant
amount of information to an adversary performing a seed-cover
attack. However, we now show that the use of a
private shared-key discovery protocol reveals just as much
information. Under this attack, the first node capture is random
because every node has an equal number of uncaptured keys.
Once the first node is captured, the adversary can play the
role of the captured node in the private neighbor discovery
protocol and simply locate the node which shares the smallest
number of keys.

Link-cover attack: The exchange of IDs allows for seamless
performance of a link-cover attack. However, the use
of a private shared-key discovery protocol does not allow
the adversary to determine shared-key relationships between
nodes until a sufficient number of the keys of each node
are already captured. Hence, the adversary is not able to
efficiently perform a link-cover attack when a private shared-key
discovery protocol is used.

Disconnection attack: The information obtained during the
exchange of IDs allows the adversary to completely reconstruct
the key graph and perform a disconnection attack.
Since the use of a private shared-key discovery protocol hides
the key graph (except compromised links due to captured
nodes), the adversary can only attempt to disconnect the
network physically by disconnecting the geometric random
graph representing physical node communication.

We conclude that a private shared-key discovery protocol
is not sufficient to prevent the seed-cover attack. However,
since the attacker cannot determine shared-key relationships
between uncaptured nodes when the private shared-key discovery
protocol is used, the adversary is unable to mount a link-cover
or disconnection attack. We further discuss mitigation
of the seed-cover attack in the next section.

IV.  Attack  Mitigation 

In  this  section,  we  discuss  techniques  which  can  be  used 
to  mitigate  the  effect  of  the  seed-cover  attack  presented  in 
Section  II.  We  discuss  the  use  of  private  ID  exchange  and 
further  investigate  the  impact  of  the  seed-cover  attack  on  a 
KPS. 

A.  Private  ID  Exchange 

Similar to the private shared-key discovery technique presented
in [4], we consider a generic idea of using two
independent KPSs, say $\mathcal{KPS}_\alpha$ and $\mathcal{KPS}_\beta$, to exchange seed
IDs privately. After exchanging $\mathcal{KPS}_\alpha$ IDs in plaintext, a pair
of nodes sharing a seed in $\mathcal{KPS}_\alpha$ can compute a pairwise key
which is then used to exchange IDs for $\mathcal{KPS}_\beta$. In this scheme,
the link key is computed as a function of the shared $\mathcal{KPS}_\alpha$
and $\mathcal{KPS}_\beta$ seeds.


Fig. 4. Revealing of seed IDs under capture of x nodes. (Figure labels: compromised links, captured nodes.)

However, we observe that even a very small number of
random node captures could reveal seed IDs for almost every
node. If the adversary knows the $\mathcal{KPS}_\alpha$ seed which is used
to encrypt and exchange $\mathcal{KPS}_\beta$ IDs between a pair of nodes,
the adversary obtains seed IDs of $\mathcal{KPS}_\beta$ for the two nodes.
Thus, the adversary is able to recover information from nodes
other than those that are physically captured. By capturing x
nodes, the adversary is able to recover the $\mathcal{KPS}_\beta$ IDs for the x
captured nodes, any physical neighbors of the captured nodes
which shared $\mathcal{KPS}_\alpha$ seeds, and nodes which are incident to
links that are compromised due to the capture of the x nodes.
For clarity, this scenario is illustrated in Fig. 4.

For simplicity, we only focus on the nodes incident with
compromised links. Let N denote the total network size and
d denote the average number of nodes in the neighborhood of
a given node. In addition, let $p_\alpha$ denote the probability that any
pair of nodes can establish a link key, referred to as the local
connectivity, of $\mathcal{KPS}_\alpha$. Hence, the number of edges between
nodes within wireless communication range that can establish
a link key is approximately

$$e = \frac{1}{2} N d\, p_\alpha. \qquad (2)$$

We look at this problem in detail. An adversary is able to
obtain the seed IDs from captured nodes and their neighbors.
Since the number of such neighbors is approximately $d\, p_\alpha$, the
probability that the set of IDs is revealed in this way is about
1  —  (1  —  ,  when  an  adversary  captures  x  random  nodes. 

As another possibility, an adversary knows the set of IDs if any
link that the node used to exchange seed IDs is compromised.
Based on the approximation that the link compromises are
all independent, the overall probability $\mathrm{fail}_{id}(x)$ that a node
reveals its seed IDs due to x random node captures is estimated
as

faiux)  =  i-(i-^r  +  (i-^r 

X  (1-  (l-fail(a;))''P“) 

=  1  -  (1  -  ^)"(1  -  fail(x))‘'t’“  (3) 

where fail(x) is computed over $\mathcal{KPS}_\alpha$.

We consider an example in which N = 10,000, d = 40,
and $p_\alpha$ = 0.5. If by capturing a small number of nodes, an
adversary is able to compromise 5% of the edges, or 5,000
edges, the number of nodes incident with those edges might
be a significant fraction of the total network size. We note that
a node can be incident to multiple edges, so the number of
nodes would still be less than N.

With the same parameters as above, suppose 50 node
captures compromise 20% of the links between uncaptured
nodes. Then we have

$$\mathrm{fail}_{id}(50) = 0.990, \qquad (4)$$

which means the expected fraction of nodes with key identifiers
revealed is about 99.0%.

Thus, the strategy that an attacker could take is to capture
a small number of nodes at random, reveal the seed IDs for
$\mathcal{KPS}_\beta$ for almost every node, and then mount a seed-cover
attack. Hence, two or more layered KPSs do not provide
additional resilience to a seed-cover attack, and an alternate
method is required to mitigate the seed-cover attack.

B.  Mitigating  a  Seed-Cover  Attack

In  light  of  the  discussion  on  private  shared-key  discovery 
in  Section  III  and  the  analysis  on  private  ID  exchange  in 
Section  IV-A,  further  investigation  is  needed  in  order  to 
discover  a  technique  for  mitigating  a  seed-cover  attack.  We 
make  the  following  claim,  which  is  proved  with  a  simple 
logical  argument. 

Claim  1:  Any  shared-key  discovery  protocol  of  a  single 
KPS  such  that  pairwise  keys  are  determined  by  the  set  of 
common  seeds  and  each  node  stores  a  constant  number  of 
seeds  is  susceptible  to  a  seed-cover  attack. 

Proof:  Assume  that  a  shared-key  discovery  protocol  is 
given,  each  node  contains  K  out  of  P  seeds,  and  the  adversary 
has  captured  one  node  s.  Assume  further  that  the  protocol  is 
such  that  the  adversary  cannot  use  the  information  recovered 
from  s  to  determine  the  number  of  seeds  in  a  node  n  that 
are  shared  with  s,  i.e.  a  seed-cover  attack  cannot  be  mounted. 
However,  this  suggests  that  s  and  n  were  not  able  to  execute 
a  protocol  to  determine  the  existence  of  a  shared  key  before  s 
was  captured,  and  the  protocol  is  not  an  effective  shared-key 
discovery  protocol.  ■ 

This  claim  suggests  that  it  may  be  possible  to  mitigate 
a  seed-cover  attack  if  we  allow  K  to  vary  between  nodes. 
Hence,  we  investigate  the  effect  of  allowing  nodes  to  hold 
varying  numbers  of  seeds  using  the  KPS  of  [4]  for  simplicity. 
We  assume  the  private  shared-key  discovery  protocol  of  [4]  is 
being  used,  so  only  the  seed-cover  attack  is  of  interest. 

For each node, the key distribution center chooses K
uniformly at random such that $K_1 \le K \le K_2$ and assigns
a random selection of K keys from a key pool of size P.
During the shared-key discovery phase, each node must mask
the actual number of seeds it contains by transmitting

$$\alpha,\; \pi\left(E_{L_1}(\alpha), \ldots, E_{L_K}(\alpha), \Gamma_1, \ldots, \Gamma_{K_2-K}\right),$$

where each $\Gamma_i$ is a random nonce and $\pi$ denotes a random
permutation of the given elements. This prevents the adversary
from knowing which of the quantities not corresponding to
shared keys are unshared keys and which are useless information,
thus reducing the effectiveness of the seed-cover attack.
Such  a  scheme  can  be  analyzed  by  noting  that  the  average 
Fig. 5. Comparison between KPS of [4] with P = 28,140 and K = 100
and the modified KPS with P = 28,140 and K random between $K_1$ = 80
and $K_2$ = 120.


number  of  keys  stored  in  each  node  is  Kavg  =  .  Hence, 

local  connectivity  can  be  estimated  as 

!.  ,.v, s i:  1-' ’ 


(K^  -Ki  +  1)2 


i=Ki  j=Ki 
and  the  resilience  to  node  capture  can  be  estimated  as

K2  .  \  ® 


fail(a;)  =  1  —  1  — 

Fig. 6. Simulation of attacks on KPS of [4] for N = 1,000 and K = 50.

Fig. 7. Simulation of attacks on threshold KPS for N = 1,000, K = 10,
and t = 5.


Example 1: We compare a KPS with P = 28,140 and K =
100 to a modified KPS with P = 28,140, $K_1$ = 80, and
$K_2$ = 120. The local connectivity, average key storage, and
the value of the function fail(x) are thus equivalent for both
schemes. Since the modified KPS uses a randomized value of
K, the resilience to a seed-cover attack is reduced to that of
a random-capture attack, given by (1). The function fail(x) is
plotted for each scheme under random-capture and seed-cover
attacks in Fig. 5.
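
An added example, not part of the paper: the masked broadcast of this section in Python, with HMAC-SHA256 standing in for the encryption E (a neighbor recomputes the tag under each of its own seeds instead of decrypting). The seed pool, ring contents, K2 value and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes per list entry: HMAC-SHA256 output, fillers use the same length

def make_pool(size):
    """Constructed seed pool: seed ID -> 16 random bytes."""
    return {sid: secrets.token_bytes(16) for sid in range(size)}

def ring_from(pool, ids):
    """Key ring of one node: the subset of the pool it was assigned."""
    return {sid: pool[sid] for sid in ids}

def discovery_message(ring, k2):
    """Build (alpha, entries): one tag per held seed plus K2 - K random fillers,
    shuffled, so neither the list length nor entry positions reveal K."""
    if len(ring) > k2:
        raise ValueError("ring larger than the K2 bound")
    alpha = secrets.token_bytes(16)  # fresh nonce per broadcast
    entries = [hmac.new(seed, alpha, hashlib.sha256).digest()
               for seed in ring.values()]
    entries += [secrets.token_bytes(TAG_LEN) for _ in range(k2 - len(ring))]
    secrets.SystemRandom().shuffle(entries)  # the permutation pi
    return alpha, entries

def shared_seed_ids(own_ring, message):
    """Receiver side: a seed is shared exactly when its tag appears in the list.
    Entries that match nothing may be unshared seeds or fillers; the receiver
    cannot tell which."""
    alpha, entries = message
    present = set(entries)
    return {sid for sid, seed in own_ring.items()
            if hmac.new(seed, alpha, hashlib.sha256).digest() in present}

if __name__ == "__main__":
    pool = make_pool(40)
    node_a = ring_from(pool, [1, 5, 9, 12])                 # K = 4
    node_b = ring_from(pool, [5, 9, 20, 21, 22, 23, 30])    # K = 7
    msg_a = discovery_message(node_a, k2=8)
    msg_b = discovery_message(node_b, k2=8)
    print(len(msg_a[1]), len(msg_b[1]))          # same length for both nodes
    print(sorted(shared_seed_ids(node_b, msg_a)))
```

A captured node replaying this exchange learns only which of its own seeds a neighbor holds; the number of unmatched entries is K2 minus the overlap for every neighbor, whatever that neighbor's K is.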


V. Simulations

We provide simulation results to demonstrate the effect of
the attacks presented in Section II. Furthermore, we provide
simulation results corresponding to the mitigation techniques
proposed in Section IV.

In Fig. 6, we simulate fail(x) for a KPS as in [4] where
N = 1,000 nodes are deployed with K = 50 keys each from
a key pool of size P = 2,156. We plot the resulting fail(x)
versus x for the random-capture, seed-cover, and link-cover
attacks assuming that IDs are exchanged in plain text.

In addition to KPSs based on the scheme from [4], we are
interested in schemes based on threshold secret-sharing, such
as [6], [10], in which links are compromised as soon as the
threshold t is reached for a given secret. In this case, we must
use the modified version of the seed-cover attack given in
Fig. 2. Furthermore, we note that the link-cover and seed-cover
attacks are nearly identical for threshold schemes. In
Fig. 7, we plot the simulated value of fail(x) for such a KPS
where N = 1,000 nodes are deployed with shares of K = 10
of the P = 90 secrets using a threshold of t = 5. The plot
demonstrates the difference between the random-capture and
seed-cover attacks.


VI.  Discussion 

In  a  model  presented  in  [4],  the  shared-key  discovery 
phase  occurs  only  when  two  sensor  nodes  are  within  wireless 
communication  range.  Then  the  total  connectivity  of  the  WSN 
is  represented  by  the  intersection  of  the  geometric  random 
graph  representing  the  physical  layer  and  the  key  graph. 

If  we  relax  the  constraint  and  allow  for  shared-key  discovery 
to  execute  between  distant  nodes  by  relaying  messages  via 
intermediate  nodes,  then  any  pair  of  nodes  can  establish  a  link 
key  even  though  the  intersection  of  the  physical  layer  and  the 
key  graph  is  not  connected,  as  long  as  the  physical  layer  and 
key graph are each connected. If a node s wants to establish
a pairwise key with s', then it finds a path

$$s - s_1 - \cdots - s_m - s'$$

in the key graph and uses the intermediate links to exchange
a random key k in encrypted form. In other words, s sends
$E_{k_{s,s_1}}(k)$ to $s_1$, $s_1$ sends $E_{k_{s_1,s_2}}(k)$ to $s_2$, and so on until s'
receives $E_{k_{s_m,s'}}(k)$ from $s_m$.

A  KPS  with  a  low  local  connectivity  would  show  a  stronger 
resilience  to  attacks  compared  to  a  KPS  of  a  high  local 
connectivity  in  the  resulting  network  (with  key  storage  fixed). 
In  return,  the  establishment  of  link  keys  in  a  neighborhood 
would  require  a  higher  transmission  overhead  since  paths 
between  two  nodes  would  be  longer  and  the  number  of  such 
paths  would  be  even  smaller. 

Since a private shared-key discovery protocol (based on
the encryptions of random nonces) also requires more computational
complexity for encryption/decryption and message
overheads (128-256 bits per key), the distribution center should
carefully choose between a KPS with a low local
connectivity based on a plaintext ID exchange protocol and a KPS
with a higher local connectivity based on a private shared-key
discovery protocol.

VII.  Summary 

We  have  shown  that  various  attacks  on  key  predistribution 
schemes  in  WSN  can  be  modeled  using  the  set-covering 
problem.  We  present  a  collection  of  such  attacks  which  require 
the  adversary  to  either  solve  an  NP-hard  problem  or  choose  a 
suboptimal  solution.  We  have  shown  that  no  protocol  requiring 
a  constant  number  of  predistributed  seeds  for  a  single  KPS
system  in  each  node  can  be  secure  against  the  seed-cover 
attack.  In  order  to  mitigate  the  effects  of  a  seed-cover  attack, 
we  proposed  the  randomization  of  the  number  of  seeds  K 
stored  in  each  node. 

Appendix

The function fail(x) for a seed-cover attack on the KPS of
[4] can be expressed recursively as

$$\mathrm{fail}(x) = \mathrm{fail}(x-1) + \left(1 - \mathrm{fail}(x-1)\right) q(x) \qquad (7)$$

where q(x) is the probability that a link which was uncompromised
after (x − 1) nodes were captured is compromised
when the x-th node is captured. Given that fail(0) = 0, the
closed-form solution for fail(x) is given by

$$\mathrm{fail}(x) = \sum_{i=1}^{x} q(i) \prod_{j=i+1}^{x} \left(1 - q(j)\right). \qquad (8)$$

The probability q(x) is a function of the number of seeds
$M_{x-1}$ contained in the (x − 1) previously captured nodes and
the maximum number of uncaptured keys $k_{max,x}$ contained
in one of the remaining nodes, both of which are random
variables. Given $M_{x-1} = m$ and $k_{max,x} = k$, the probability
that a given uncaptured seed is captured in the x-th node is
-pf^-  Hence,  the  probability  q{x)  is  thus  given  by 


K 


q{x)  =  57  57  - Pr[M^_i  =  m,  k,nax,x  =  k],  (9) 


P  —  m 

m—K  k—Q 

where $\Pr[M_{x-1} = m,\, k_{max,x} = k]$ is the joint distribution
of $M_{x-1}$ and $k_{max,x}$. The probability $P_i(m)$ that a node
contains exactly i uncaptured seeds when m of the P seeds

z  ) 

are  compromised  can  be  computed  as  Pi{m)  =  - — 

(k) 


Hence, the probability $\Pr[k_{max,x} = k \mid M_{x-1} = m]$ can be
computed as


Pr[kmax,x  =  k\Mx^i  =  to]  =  ci-pkim)  ^5^p^(to)^ 


N-x-2 


(10) 


where $c_1$ is a normalizing constant to ensure the probability
sums to 1 over all values of k. The probability $\Pr[M_{x-1} = m]$
can be computed recursively as

$$\Pr[M_{x-1} = m] = c_2 \sum_{k=0}^{K} \Pr[M_{x-2} = m - k,\; k_{max,x-1} = k] \qquad (11)$$

where $c_2$ is a normalizing constant to ensure the probability
sums to 1 over all values of m. The given equations can then
be combined to yield an expression for fail(x) for a seed-cover
attack on the KPS of [4].


